Proxy and user cert not working (Apple TV 4K)

Hi Dimitry,

I found something interesting in Apple Developer support regarding adding a root certificate to AppleTV. They want to add a private CA root(and possibly intermediate) to AppleTV. Note, this is simulator and developer. How much is usable for public version is ??

The TVOS 15 trust store has the obvious well known public CAs, digicert. Godaddy, an Apple root etc. What about Adding the root and intermediate(if applicable) of your private CA to AppleTV? Maybe that’ll make the AppleTV<~>Proxy HTTPS comms much happier?

Installing custom root certificates in AppleTV: https://developer.apple.com/forums/thread/696926

Hi Dimitry, (disclaimer, I work with private CAs, self signed certs, public issued signed certs -- but little with Proxies)

-Host(AppleTV)<->Proxy<->Far End -- all using HTTPs. One cert validation process from Host to Proxy, another cert validation process Proxy to Far End.

-It is working from Host <-> Proxy <-> Far End AppleTV+(and certain other app servers). This tells me the client(Host)<->Proxy segment must be validating server identity and client identify (successful cert validation/no HTTPS exception error).

This suggests to me the issue is Proxy-<->Far End. But why would it be working with some and not with others (presumably everything is using HTTPS).

-Proxies can filter by IP/domain. Could ti be filtering/blocking to whatever (for example Netflix servers) the IP address of the servers?

-Proxies, I believe, can filter by port. Any chance there is a port range being blocked?

-Allow/Deny lists in place anywhere?

-Some servers(services) don't like traffic from Proxies. Unlikely but worth a check.

-Hard to see this being a Proxy<->Far End certificate issue. Presumably the Proxy would have the root/intermediate of every well known public CA (such as GoDaddy) as evidenced by AppleTV+ servers (and others) validating cert/HTTPS is good.

If you take the Proxy out, all the AppleTV apps work properly?

Good call on decompiling the open source to see that a private CA is not honored. But then why would AppleTV+ on AppleTV box work at all? If I'm following this correctly -- maybe not -- in theory the AppleTV box based AppleTV+ app shouldn't work at all if it is behind a Proxy (AppleTV+ would always be confronted with the private CA issued cert on the Proxy). But it is with some apps/far end servers.

On the PC behind the Proxy you used for testing, what about loading the apps (AppleTV+, Prime)? The apps seem likely to be using different ports if not some sort of differentiation in SSL validation. Ideally one won't work. Then you can run Wireshark on the PC and get a pcap (you may be able to do that with both hosts being remote, but in your LAN. If you can I haven't done that). That'll at least tell you where it is stopping/retransmitting without success.

If they all work then you can eliminate the apps themselves and pretty much say the issue lives AppleTV box/TVOS <-> Proxy and with specific apps Maybe Apple and Amazon are putting in their apps a unique validation process? That's a tough one. If nothing else I'd run over the settings in the Proxy. I've run into a small check box in a mundane menu setting making it all work. .